Is your car secure? Maybe not, but enterprise users can still learn something

In some cases, the automotive industry can serve as an example of how not to do security

If you're looking for a good lesson in enterprise security, there might be a few sitting in the parking lot. The automotive field is a glaring example of "worst practices" in security, say several automotive experts. And, the problem is only getting worse, not better.

Over the past few years, cars have come under fire for many things -- constant recalls, safety hazards, and diesel-engine tricks, to name a few -- but security experts have noticed a disturbing trend.

While it might be hard to break into a BMW unless you have a rock handy, far less effort has gone into protecting wireless signals, establishing standards, creating new regulations and laws, and patching much more aggressively.

Experts tell CSO that the automotive field needs to address some of these issues, especially as cars become more high-tech and start connecting to the infrastructure around us, road signs, and to each other. It also shows how security has to keep pace with innovation.


Most importantly, those who work in enterprise security should start paying attention to see how the problem is resolved, because changes will be coming soon.

The problem is getting worse

It's easy to see how far car technology has advanced. Google has been able to let a car drive on its own in traffic. In Michigan, there's a test underway where cars can communicate with each other. Tesla has built a massive electric car charging infrastructure.

Yet, as Dave Sullivan with the automotive analyst firm AutoPacific points out, there are constant signs of trouble. Nissan made an app for their Leaf electric car but then found it was easily hackable and promptly removed it. "This is a whole new world for automakers," says Sullivan.

"They are venturing into an area that is still very new and very fresh with the inability to update security vulnerabilities quickly. This can easily be patched on say a smartphone."

Dave Sullivan, automotive analyst, AutoPacific

Instead of aggressive patch schedules, automakers tend to test longer and adhere to rigid safety standards, but don't follow the smartphone model. Sullivan says this needs to change, that automakers should be paying ethical hackers a bounty to try and break the wireless security in a car and then issue patches. This is far less expensive, he says, than a recall.

Diogo Mónica, a security researcher and chair of the Institute of Electrical and Electronics Engineers Public Visibility Committee, told CSO there hasn't been much progress.

He says car companies are too cavalier about penetration testing. He agreed with Sullivan that this leads to massive recalls: given the patch cycles for cars, by the time a vulnerability is found in a newly added app or communication feature, it's often too late to fix it cheaply.

Enterprise security lessons

You may have noticed already there are many lessons to learn.

Ironically - given their brilliant automotive innovations - one example of good security for phones is Google. Sullivan noted how Google aggressively patches the Nexus line. With Chrome OS and the Chrome browser, the Internet giant puts automakers to shame as well. Google updates its software in the background and patches constantly, but the end-user barely notices. Your typical Ford or Buick has nowhere near that level of sophistication for security.

Another lesson is related to openness. Mónica noted how the automakers do not report on vulnerabilities as thoroughly and tend to hide behind a curtain, which creates a vicious cycle -- ethical hackers do not get any credit if they find a problem so they lose all incentive to help.

"They rely too much on security-through-obscurity," says Mónica.

"They rely on the fact that it is hard to inspect what software is actually running inside of the car to provide security. This has been proven to be the wrong way to do security, and cars are the perfect example of it."

For the enterprise, it's much better to come clean about vulnerabilities when they occur and tap the security community for help, and then to be more aggressive about including outside security experts in penetration testing rather than obscuring the process from them.

Mónica has another good example of what's broken. Researchers have been able to consistently break into the key fob used for unlocking cars. Automakers tend to make their own software for this and reinvent the protocols, but Mónica said they do a poor job. If it were a more open process, one that tapped existing expertise, the security would improve. For enterprise managers, this is a lesson in collaboration and involving outside experts.

What should be done

Inaction is not a good approach in this case. Monique Lance, a spokesperson for Argus Cyber Security, a company that works in the connected car field, says best practices in cybersecurity need to be injected into every stage of the manufacturing process, not as an afterthought.


Lance says there is very little regulation when it comes to car security, although that is changing -- slowly. The Spy Car Act of 2015 calls for new federal standards for car security. In Michigan, there's a Life Imprisonment Bill that would lock up car hackers for life. The SAE-issued J3601 guideline injects security practices into the manufacturing process.

The most important lesson? Do something. With security, letting a sleeping giant stay dormant and looking the other way is never a good approach.

Andy Gryc, a spokesperson for the auto industry and for what is now known as AutoMobility LA (instead of the LA Auto Show), told CSO that steps are being taken. For example, car makers are starting to phase out the older bus architecture (known as the Controller Area Network or CAN) used in cars in favor of a more secure architecture called E-AVB (Ethernet Audio Video Bridging Solution). "Techniques like white-box encryption or code obfuscation are just starting to get traction, and have mostly been absent from vehicle software designs," he added.

Sadly, Gryc said these changes take time to implement. There isn't enough momentum in an industry that is all about horsepower and automated driving. In enterprise security, there are some clear lessons, even if the automotive field hasn't learned any of them.

Stories by John Brandon